This has been going on for years, Google knows about it, and intentionally leaves it unfixed.

> Out of 47 Indian apps I randomly analyzed, 31 of them used the "ACTION_MAIN" filter - giving them access to see all the apps on your phone without any disclosure. That's 2 out of 3 apps.

Of course there's hundreds of other variants of malware, this is just one of the most prevalent.